
IBM Software Data Sheet

IBM QRadar Security Intelligence Platform appliances

Comprehensive, state-of-the-art solutions providing next-generation security intelligence

Highlights

● Get integrated log management, security information and event management (SIEM), data storage, incident forensics, full packet capture, and risk and vulnerability management

● Monitor network flow data and Layer 7 application payloads, increasing visibility into network activity

● Deploy quickly and easily as a centralized all-in-one system or with a distributed architecture using preconfigured systems

● Utilize specialized configurations for virtualized environments

● Provide high availability and disaster recovery

● Deliver rapid time-to-value with predefined rules and report templates

IBM® QRadar® Security Intelligence Platform appliances combine typically disparate network and security management capabilities into a single, comprehensive solution. Appliance versions are offered for IBM Security QRadar Log Manager, IBM Security QRadar SIEM, IBM Security QRadar Data Node, IBM Security QRadar Incident Forensics, IBM Security QRadar Packet Capture, IBM Security QRadar Vulnerability Manager and IBM Security QRadar Risk Manager. For additional network visibility, IBM Security QRadar QFlow Collector and IBM Security QRadar VFlow Collector solutions can be added to the platform’s network analysis and content capture capabilities.

QRadar Security Intelligence Platform appliances are preconfigured, optimized systems that do not require expensive external storage, third-party databases or ongoing database administration. Deployment options include dedicated, high-performance appliances; Linux-based software packages; and virtualized appliances for VMware-based environments.

Organizations use these appliances to protect and grow with their businesses by addressing:

● Log management—Collection, archiving and analysis of events from various network and security devices, systems and applications

● SIEM—Integrated log management and network flow collection with advanced correlation, anomaly detection, workflow and reporting capabilities


● Event collector, event processor and data storage nodes—Event correlation, indexing, search capabilities and storage

● Flow processing—Layer 4 NetFlow and Layer 7 QFlow collection and correlation

● Risk and vulnerability management—Proactive configuration audit, risk and compliance policy assessment, and advanced threat simulation

● Incident forensics and full packet capture—Quick and easy, in-depth security incident investigation

● High availability and disaster recovery—Backup capabilities to help ensure continuous operations

IBM Security QRadar Log Manager appliances

QRadar Log Manager appliances are ideal for organizations that need simplified capabilities for log management today, with the ability to expand capacity for event processing and upgrade to a full SIEM solution in the future. These appliances are designed to meet the needs of small and midsized organizations, as well as large businesses that are geographically dispersed and require an enterprise-class, highly scalable solution.

The QRadar Log Manager all-in-one appliance is an entry-level system that utilizes on-board event collection and correlation. It can easily expand as the organization grows, with the ability to support hundreds of thousands of events per second through conversion into a console (distributed) deployment with the addition of separate event processor appliances.

Larger organizations can utilize the QRadar Log Manager console appliance with its external event collection and correlation approach, which allows for dedicated search processing, distributed correlation, reporting and central administration of a distributed log management deployment. Console appliances require at least one add-on event processor.

The scalable QRadar architecture includes distributed event processor and event collector appliances for real-time collection, storage, indexing, correlation and analysis. Large, multi-appliance deployments can support more than one million events per second, with all data correlated in real time. For situations where network connectivity is either unreliable or temporarily unavailable, or in locations with low event volumes, event collector appliances can be deployed to collect events and forward them to an event processor or all-in-one appliance.

IBM Security QRadar 1605 and 1628 event processor appliances

QRadar event processor appliances provide scalable event collection and correlation for organizations of all sizes. The IBM Security QRadar 1605 and 1628 event processor appliances are expansion solutions that can be deployed in conjunction with QRadar Log Manager and QRadar SIEM console appliances. They offer turnkey collection, storage, indexing and real-time correlation of log data and can be deployed in a distributed manner that can support some of the largest deployments in the world.

IBM Security QRadar 1501 event collector appliances

QRadar event collector appliances provide continuous event logging when network connectivity is unavailable. Event collector appliances simply collect events and forward them to an event processor or all-in-one appliance for correlation, analysis and long-term storage. Also designed to collect events and logs in distributed locations with relatively low event volumes (such as retail stores and satellite offices), they provide a more economical approach than deploying event processors in such scenarios.


IBM Security QRadar SIEM appliances

QRadar SIEM appliances deliver integrated log management and security intelligence technology for organizations of all sizes. Available in either all-in-one or distributed deployment configurations, they are ideal for growing organizations that seek maximum security and compliance. These appliances offer the ability to correlate logs, network flows, vulnerabilities, user identities, threat intelligence and other security telemetry. QRadar SIEM appliances often serve as the base platform for large, geographically dispersed businesses that require an enterprise-class, scalable solution.

The QRadar SIEM appliance architecture offers an easy-to-deploy, scalable model through the use of distributed event and flow processor appliances. An event processor appliance (see 1605 or 1628 descriptions within the QRadar Log Manager table) can perform real-time collection, storage, indexing, correlation and analysis of up to 40,000 events (logs) per second. A flow processor appliance can perform real-time collection, storage, indexing, correlation and analysis of up to 1,200,000 bidirectional flows per minute. Large, multi-appliance deployments can support more than one million events per second, and millions of flows per minute, with all data correlated in real time.

The IBM Security QRadar SIEM 2100 all-in-one appliance delivers a single appliance for small and midsized organizations. It provides an integrated security solution, and its intuitive user interface makes it easy to deploy in minutes. The QRadar SIEM 2100 all-in-one appliance also includes an embedded version of IBM Security QRadar QFlow Collector, which provides Layer 7 collection of network traffic flows and deep application visibility for advanced threat detection and forensic capabilities. No additional event processors or flow processors can be used to expand this system.

The IBM Security QRadar SIEM 3105 and 3128 all-in-one appliances utilize on-board event and flow collection and correlation capabilities, providing a single-appliance solution. They are expandable into console configurations in which separate event and flow processor appliances are used to collect and store data. These appliances can directly collect events from all supported log sources, as well as NetFlow, J-Flow, sFlow and IPFIX data from network devices. They can also utilize external QRadar QFlow Collector and QRadar VFlow Collector appliances for Layer 7 network analysis and content capture.

QRadar Log Manager solutions can begin as a single turnkey appliance and grow into highly distributed solutions, supporting multiple event processor and event collector appliances when network availability conditions warrant.

Figure: Sample IBM Security QRadar Log Manager 3105 distributed deployment. The diagram shows the QRadar web console attached to a 3105 console appliance; 1605 event processor appliances and a 1501 event collector feeding it; routers, switches and other network devices exporting event data; and security devices (IDS, firewall) exporting logs.


Security QRadar Log Manager appliance features

| Feature | 2100 all-in-one | 3105 all-in-one | 3128 all-in-one | 3105 console | 3128 console | 1501 event collector | 1605 event processor | 1628 event processor |
|---|---|---|---|---|---|---|---|---|
| Single turnkey solution | X | X | X | | | | | |
| Part of distributed solution | | | | X | X | X | X | X |
| Event collection, correlation, analysis and storage | Max. 1,000 EPS (sustained) | Max. 5,000 EPS (sustained) | Max. 15,000 EPS (sustained) | Not applicable | Not applicable | Collection and forwarding only* | Max. 20,000 EPS (sustained) | Max. 40,000 EPS (sustained) |
| Long-term data storage | 1.5 TB | 6.2 TB | 40 TB | 6.2 TB | 40 TB | 600 GB | 6.2 TB | 40 TB |
| Support for high availability and disaster recovery | X X X X X X X (seven of the eight models; the source table does not preserve which column is excluded) |

QRadar SIEM solutions can start small with an all-in-one solution and grow to support enterprise environments, using a centralized console and any number of distributed event and network flow collection appliances.

Figure: Sample IBM Security QRadar SIEM 2100 all-in-one deployment. The diagram shows the QRadar web console attached to a single 2100 appliance, with routers, switches and other network devices exporting event and flow data and QFlow collection on a passive tap.

Figure: Sample IBM Security QRadar SIEM 3128 distributed deployment. The diagram shows the QRadar web console attached to a 3128 console appliance; a 1728 flow processor, a 1202 QFlow Collector and a 1628 event processor feeding it; Layer 4 NetFlow from routers and switches for external flow services; Layer 7 data analysis through SPAN or tap; and collection of log events from network and security infrastructure (routers, servers, switches, IDS, firewall, laptop).


The IBM Security QRadar SIEM 3105 and 3128 console appliances utilize external event and flow processor appliances, allowing the console to perform dedicated search processing, offense management, reporting and central administration of the distributed SIEM deployment. At least one add-on event processor, flow processor, or combined event and flow processor appliance is required. Teamed with one or more QRadar QFlow Collector appliances, the console can also receive Layer 7 network analysis and content capture while aggregating other network activity data, such as NetFlow, J-Flow, sFlow and IPFIX. QRadar VFlow Collector appliances provide the same visibility and network flow collection for VMware virtual environments.

Security QRadar SIEM appliance features

| Feature | 2100 all-in-one | 3105 all-in-one | 3128 all-in-one | 3105 console | 3128 console | 1705 flow processor | 1728 flow processor | 1805 event/flow processor | 1828 event/flow processor |
|---|---|---|---|---|---|---|---|---|---|
| Single turnkey solution | X | X | X | | | | | | |
| Part of distributed solution | | | | X | X | X | X | X | X |
| Event collection, correlation, analysis and storage | Max. 1,000 EPS (sustained) | Max. 5,000 EPS (sustained) | Max. 15,000 EPS (sustained) | Not applicable | Not applicable | Not applicable | Not applicable | Max. 5,000 EPS (sustained) | Max. 15,000 EPS (sustained) |
| Support for expandable log source (devices) data | Not applicable | Requires console conversion | Requires console conversion | Requires 1605/1628 event processor appliances | Requires 1605/1628 event processor appliances | Not applicable | Not applicable | Not applicable | Not applicable |
| Flow collection, correlation, analysis and storage | Max. 50,000 bidirectional flows/minute | Max. 200,000 bidirectional flows/minute | Max. 300,000 bidirectional flows/minute | Not applicable | Not applicable | Max. 600,000 bidirectional flows/minute | Max. 1.2 million bidirectional flows/minute | Max. 200,000 bidirectional flows/minute | Max. 300,000 bidirectional flows/minute |
| Optional use of QFlow and VFlow Collectors | On-board QFlow Collector included | X | X | Requires 1705/1728 flow processor appliances | Requires 1705/1728 flow processor appliances | X | X | X | X |
| Long-term data storage | 1.5 TB | 6.2 TB | 40 TB | 6.2 TB | 40 TB | 6.2 TB | 40 TB | 6.2 TB | 40 TB |
| Support for high availability and disaster recovery | X | X | X | X | X | X | X | X | X |


IBM Security QRadar 1705 and 1728 flow processor appliances

IBM Security QRadar flow processor appliances provide scalable flow collection, correlation and storage for organizations of all sizes. These appliances are expansion appliances deployed in conjunction with QRadar SIEM all-in-one or QRadar SIEM console appliances. They offer turnkey collection, storage, indexing and real-time correlation of flow data and are designed to be deployed in a distributed manner. QRadar flow processor appliances collect and analyze network flow data in a variety of formats including NetFlow, J-Flow, sFlow, and IPFIX. They can also process Layer 7 application-level data gathered by QRadar QFlow Collector appliances.

IBM Security QRadar 1805 and 1828 combined event and flow processor appliances

IBM Security QRadar 1805 and 1828 combined event and flow processor appliances provide event and network activity monitoring and correlation for remote or branch offices and for large, distributed organizations seeking scalable solutions. They are expansion appliances for use with QRadar SIEM console systems.

IBM Security QFlow and VFlow Collector appliances for Layer 7 visibility

QRadar QFlow Collector and VFlow Collector appliances offer a powerful solution for gathering rich network activity data in both physical and virtual infrastructures. They surpass traditional flow data (such as NetFlow) by using deep packet inspection to collect more detailed and revealing Layer 7 data. This enables application-level network activity analysis and the detection of anomalies, such as large spikes in traffic volumes. This information, when correlated with event data, enables a more advanced analysis of the overall security posture of the network.

QRadar QFlow Collector appliances gather network traffic passively through network taps and SPAN ports. They can detect more than 1,000 applications such as Voice over Internet Protocol (VoIP), social media such as Twitter and LinkedIn, multimedia including Skype, enterprise resource planning (ERP), and peer-to-peer (P2P), among many others. QFlow Collector appliances must be paired with either a 17XX flow processor, an 18XX combined event and flow processor, or an all-in-one SIEM appliance.

There are four QRadar QFlow Collector models:

● IBM Security QRadar 1201 QFlow Collector: Offers midrange, multi-port collection capabilities for underutilized gigabit Ethernet connections

● IBM Security QRadar 1202 QFlow Collector: Provides line-rate gigabit Ethernet network performance and multi-port flexibility for copper-based networks; is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise

● IBM Security QRadar 1301 QFlow Collector: Provides line-rate gigabit Ethernet network performance with multi-port flexibility for fiber-based networks; is well suited for collecting and monitoring high rates of network traffic at the data center and core of an enterprise

● IBM Security QRadar 1310 QFlow Collector: Delivers advanced network and application visibility and collection on 10-Gbps Ethernet networks

QRadar VFlow Collector appliances are virtual activity monitors that provide the same collection and visibility for virtual network and server resources as QRadar QFlow Collector appliances provide for physical resources. QRadar VFlow Collector appliances are virtual appliances that connect to the virtual switch within a VMware virtual host. They can support up to four virtual interfaces and up to 10,000 bidirectional flows per minute. The product can also analyze port-mirrored traffic for a physical network switch, helping bridge the gap between the physical and virtual realms.

IBM Security QRadar Data Node appliances

IBM Security QRadar Data Node appliances (14XX Series) provide a cost-effective solution for increasing the data storage capacity and analytical processing performance of QRadar deployments. QRadar Data Node appliances can be clustered around event processors and flow processors, giving them access to the storage capacity and processing capability of each licensed data collection device. This allows aggregate storage deployments to grow to potentially hundreds of terabytes while simultaneously adding processing power to support data queries. Intelligent algorithms can distribute incoming data across data nodes in a manner optimal for both querying and storage. QRadar Data Node appliances are available as a software package or virtual appliance.

IBM Security QRadar Incident Forensics appliances

IBM Security QRadar Incident Forensics appliances are designed to significantly reduce the amount of time required to investigate a security incident. They help eliminate the need for expensive, specialized forensics training, and offer an intuitive user interface capable of rapidly searching through terabytes of network flow data. The appliances incorporate an Internet-style search engine interface, and provide clarity around what happened, when, who was involved, and what data was accessed or transferred. As a result, QRadar Incident Forensics appliances help remediate a network breach and prevent it from succeeding again.

IBM Security QRadar Packet Capture appliances

IBM Security QRadar Packet Capture appliances are companion offerings to QRadar Incident Forensics, designed to expand security data collection capabilities beyond log events and network flows to include full packet captures and digitally stored text, voice and image files. Packet captures contain the full context of information flowing through a network, and include useful metadata along with the full “payload” contents of the session.

IBM Security QRadar Vulnerability Manager appliances

IBM Security QRadar Vulnerability Manager appliances can help organizations proactively identify security weaknesses so they can take corrective action before a breach occurs. These appliances can perform network security scans, consolidate results, find vulnerabilities and help prioritize remediation efforts. Through integration with IBM Security QRadar SIEM, QRadar Vulnerability Manager appliances can add rich context and help lower costs by removing the need for an additional point product. They are available as a software package or virtual appliance.

IBM Security QRadar Risk Manager appliances

IBM Security QRadar Risk Manager appliances deliver proactive risk management for organizations of all sizes by extending QRadar SIEM capabilities to provide multi-vendor configuration audit, risk/compliance policy assessment, continuous monitoring and advanced threat simulation. These systems are deployed as an add-on to an existing IBM Security QRadar SIEM solution.

IBM Security QRadar high-availability and disaster-recovery appliances

Easy-to-deploy IBM Security QRadar high-availability appliances provide fully automated disk synchronization and failover for high availability of data collection, correlation, analysis and reporting.

IBM Security QRadar disaster-recovery appliances provide a means of safeguarding collected event and flow data by mirroring it to a secondary, identical backup appliance deployment. QRadar disaster-recovery appliances can be used in conjunction with QRadar high-availability solutions to achieve optimal system protection.

Why IBM?

IBM operates a worldwide security research, development and delivery organization comprising 10 security operations centers, 10 IBM Research centers, 17 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM solutions empower organizations to reduce their security vulnerabilities and focus more on the success of their strategic initiatives. These products build on the threat intelligence expertise of the IBM X-Force® research and development team to provide a preemptive approach to security. As a trusted partner in security, IBM delivers the solutions to keep the entire enterprise infrastructure, including the cloud, protected from the latest security risks.

For more information

To learn more about IBM QRadar Security Intelligence Platform appliances, contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

For more information about IBM Security QRadar SIEM software, please see the “IBM Security QRadar SIEM” data sheet.

© Copyright IBM Corporation 2014

IBM Corporation Software Group Route 100 Somers, NY 10589

Produced in the United States of America June 2014

IBM, the IBM logo, ibm.com, QRadar, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

* EPS controlled by upstream event processor


WGD03019-USEN-02